1. Home
  2. Techniques
  3. Enterprise
  4. 有效账户

有效账户

ID Name
T1078.001 非活跃账户劫持
T1078.002 权限梯度提升

有效账户滥用是指攻击者通过窃取或冒用合法用户凭证,在目标系统中实施未授权操作的技术手段。该技术之所以具有高威胁性,源于其利用系统既有的身份验证机制,使得恶意活动在表面层符合安全策略要求。传统检测方法主要依赖异常登录分析(非常规时间/地点登录)、权限变更监控以及账户活动审计,防御措施包括多因素认证强化、账户生命周期管理和权限最小化原则实施。

为规避基于凭证异常使用的检测机制,攻击者发展出多层次、渐进式的账户滥用匿迹技术,通过休眠账户激活、权限梯度提升、凭证隐蔽存储及MFA协议漏洞利用等手段,将恶意操作嵌入正常的账户管理流程,实现"合法外衣下的隐蔽攻击"。

现有有效账户匿迹技术的核心逻辑在于深度利用身份管理体系的固有特性与安全实践的潜在缺陷:非活跃账户劫持技术利用组织账户生命周期管理的盲区,通过低频活动模式模仿规避异常检测;权限梯度提升技术将提权过程分解为符合内部审批流程的合法操作序列,避免触发权限突变告警。技术的共性在于突破传统凭证滥用的单点对抗模式,通过系统化地模仿组织内部的账户管理实践,构建出与正常用户行为高度融合的攻击链。

匿迹技术的演进导致传统基于单次认证异常或权限突变的检测模型面临严峻挑战,防御方需构建账户行为图谱分析、权限变更意图识别等能力,实施细粒度的会话上下文监控,并引入基于用户实体行为分析(UEBA)的异常检测体系,实现对隐蔽凭证滥用攻击的精准识别。

ID: T1078
Sub-techniques:  T1078.001, T1078.002
Platforms: Containers, IaaS, Identity Provider, Linux, Network, Office Suite, SaaS, Windows, macOS
Permissions Required: Administrator, User
Effective Permissions: Administrator, User
Defense Bypassed: Anti-virus, Application Control, Firewall, Host Intrusion Prevention Systems, Network Intrusion Detection System, System Access Controls
Contributors: Jon Sternstein, Stern Security; Mark Wee; Menachem Goldstein; Netskope; Praetorian; Prasad Somasamudram, McAfee; Sekhar Sarukkai, McAfee; Syed Ummar Farooqh, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 2.7
Created: 31 May 2017
Last Modified: 15 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过伪造账户属性和权限特征,使恶意账户在权限策略审查中呈现合法表象,克隆账户继承原始用户的部门、职位等元数据。通过模仿用户操作习惯,使用常见的登录时间和访问模式来伪装正常用户的活动特征,降低检测系统基于特征识别的有效性,从而避免防御者基于账户行为模式的检测,提高了攻击的隐蔽性。

时空释痕

非活跃账户劫持技术通过低频次、周期性的账户活动(如每月单次登录),将攻击行为分散在长达数月的时段中。权限梯度提升技术通过严格遵循目标组织的权限审批流程和操作规范,将提权过程拆解为多个符合管理制度的微操作。单个步骤均处于正常权限变更的容忍阈值内,使得基于行为日志的检测系统难以识别异常。

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. [1]
G1024 Akira

Akira uses valid account information to remotely access victim networks, such as VPN credentials.[2][3]
G0026 APT18

APT18 actors leverage legitimate credentials to log into external remote services.[4]
G0007 APT28

APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.[5][6][7][8]
G0016 APT29

APT29 has used a compromised account to access an organization's VPN infrastructure.[9]
G0064 APT33

APT33 has used valid accounts for initial access and privilege escalation.[10][11]
G0087 APT39

APT39 has used stolen credentials to compromise Outlook Web Access (OWA).[12]
G0096 APT41

APT41 used compromised credentials to log on to other systems.[13][14]
G0001 Axiom

Axiom has used previously compromised administrative accounts to escalate privileges.[15]
C0032 C0032

During the C0032 campaign, TEMP.Veles used compromised VPN accounts.[16]
G0008 Carbanak

Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.[17]
G0114 Chimera

Chimera has used a valid account to maintain persistence via scheduled task.[18]
G1021 Cinnamon Tempest

Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services.[19]
G0035 Dragonfly

Dragonfly has compromised user credentials and used valid accounts for operations.[20][21][22]
S0567 Dtrack

Dtrack used hard-coded credentials to gain access to a network share.[23]
S0038 Duqu

Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[24]
G0051 FIN10

FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.[25]
G0085 FIN4

FIN4 has used legitimate credentials to hijack email communications.[26][27]
G0053 FIN5

FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.[28][29][30]
G0037 FIN6

To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[31][32][33]
G0046 FIN7

FIN7 has harvested valid administrative credentials for lateral movement.[34]
G0061 FIN8

FIN8 has used valid accounts for persistence and lateral movement.[35]
G0117 Fox Kitten

Fox Kitten has used valid credentials with various services during lateral movement.[36]
G0093 GALLIUM

GALLIUM leveraged valid accounts to maintain access to a victim network.[37]
C0038 HomeLand Justice

During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[38]
G1032 INC Ransom

INC Ransom has used compromised valid accounts for access to victim environments.[39][40][41][42]
G0119 Indrik Spider

Indrik Spider has used valid accounts for initial access and lateral movement.[43] Indrik Spider has also maintained access to the victim environment through the VPN infrastructure.[43]
S0604 Industroyer

Industroyer can use supplied user credentials to execute processes and stop services.[44]
G0004 Ke3chang

Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.[45]
S0599 Kinsing

Kinsing has used valid SSH credentials to access remote hosts.[46]
G1004 LAPSUS$

LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs.[47][48]
G0032 Lazarus Group

Lazarus Group has used administrator credentials to gain access to restricted network segments.[49]
G0065 Leviathan

Leviathan has obtained valid accounts to gain initial access.[50][51]
S0362 Linux Rabbit

Linux Rabbit acquires valid SSH accounts through brute force. [52]
G0045 menuPass

menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments.[53][54][55][56]
C0002 Night Dragon

During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[57]
G0049 OilRig

OilRig has used compromised credentials to access other systems on a victim network.[58][59][14][60]
C0014 Operation Wocao

During Operation Wocao, threat actors used valid VPN credentials to gain initial access.[61]
G0011 PittyTiger

PittyTiger attempts to obtain legitimate credentials during operations.[62]
G1040 Play

Play has used valid VPN accounts to achieve initial access.[63]
G1005 POLONIUM

POLONIUM has used valid compromised credentials to gain access to victim environments.[64]
G0034 Sandworm Team

Sandworm Team have used previously acquired legitimate credentials prior to attacks.[65]
S0053 SeaDuke

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[66]
G0091 Silence

Silence has used compromised credentials to log on to other systems and escalate privileges.[67]
G0122 Silent Librarian

Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts.[68]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally.[69][70][71]
G1033 Star Blizzard

Star Blizzard has used stolen credentials to sign into victim email accounts.[72][73]

G0039 Suckfly

Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner.[74]
G0027 Threat Group-3390

Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.[75]
G1017 Volt Typhoon

Volt Typhoon relies primarily on valid credentials for persistence.[76]
G0102 Wizard Spider

Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.[77][78]

Mitigations

ID Mitigation Description
M1036 Account Use Policies

Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[79]
M1015 Active Directory Configuration

Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.
M1013 Application Developer Guidance

Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
M1032 Multi-factor Authentication

Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised. MFA provides a critical layer of security by requiring multiple forms of verification beyond just a password. This measure significantly reduces the risk of adversaries abusing valid accounts to gain initial access, escalate privileges, maintain persistence, or evade defenses within your network.
M1027 Password Policies

Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.[80] When possible, applications that use SSH keys should be updated periodically and properly secured.

Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.
M1026 Privileged Account Management

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [81] [82] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [83]
M1018 User Account Management

Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.
M1017 User Training

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
Logon Session Metadata

Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.
DS0002 User Account User Account Authentication

Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

References

  1. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.
  2. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
  3. Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
  4. Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.
  5. Hacquebord, F.. (2017, April 25). Two Years of Pawn Storm: Examining an Increasingly Relevant Threat. Retrieved May 3, 2017.
  6. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  7. MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.
  8. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  9. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  10. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
  11. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  12. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  13. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  14. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  15. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  16. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  17. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  18. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
  19. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  20. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  21. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  22. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  23. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  24. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  25. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  26. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  27. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  28. Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017.
  29. Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
  30. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  31. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  32. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  33. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  34. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  35. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  36. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  37. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  38. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  39. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  40. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  41. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  42. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
  1. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  2. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  3. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  4. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  5. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  6. Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.
  7. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  8. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  9. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  10. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.
  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  12. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  13. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  14. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  15. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  16. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  17. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  18. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
  19. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  20. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
  21. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  22. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  23. US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.
  24. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  25. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  26. DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.
  27. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  28. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  29. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  30. Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM’s ongoing phishing operations. Retrieved June 13, 2024.
  31. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
  32. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  33. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  34. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  35. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  36. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  37. Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023.
  38. US-CERT. (n.d.). Risks of Default Passwords on the Internet. Retrieved April 12, 2019.
  39. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  40. Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.
  41. Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.